Skip to content

Switch off cargo audit#6009

Open
ShadowCurse wants to merge 3 commits into
firecracker-microvm:mainfrom
ShadowCurse:switch_off_cargo_audit
Open

Switch off cargo audit#6009
ShadowCurse wants to merge 3 commits into
firecracker-microvm:mainfrom
ShadowCurse:switch_off_cargo_audit

Conversation

@ShadowCurse

Copy link
Copy Markdown
Contributor

Changes

Replace crago-audit with crago-deny for the advisory checks. This allows us to skip unnecessary notifications about crates we don't use, but which are pulled as dependencies from optional features of other crates.
Also remove .cargo/audit.toml since both ignores are not applicable anymore.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkbuild --all to verify that the PR passes
    build checks on all supported architectures.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • I have mentioned all user-facing changes in CHANGELOG.md.
  • If a specific issue led to this PR, this PR closes the issue.
  • When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • I have linked an issue to every new TODO.

  • This functionality cannot be added in rust-vmm.

@codecov

codecov Bot commented Jun 30, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.11%. Comparing base (e04e55f) to head (acc3b0f).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #6009   +/-   ##
=======================================
  Coverage   83.11%   83.11%           
=======================================
  Files         277      277           
  Lines       30207    30207           
=======================================
  Hits        25106    25106           
  Misses       5101     5101           
Flag Coverage Δ
5.10-m5n.metal 83.41% <ø> (+<0.01%) ⬆️
5.10-m6a.metal 82.76% <ø> (-0.01%) ⬇️
5.10-m6g.metal 80.08% <ø> (-0.01%) ⬇️
5.10-m6i.metal 83.41% <ø> (ø)
5.10-m7a.metal-48xl 82.76% <ø> (+<0.01%) ⬆️
5.10-m7g.metal 80.08% <ø> (ø)
5.10-m7i.metal-24xl 83.38% <ø> (-0.01%) ⬇️
5.10-m7i.metal-48xl 83.39% <ø> (+<0.01%) ⬆️
5.10-m8g.metal-24xl 80.08% <ø> (-0.01%) ⬇️
5.10-m8g.metal-48xl 80.08% <ø> (ø)
5.10-m8i.metal-48xl 83.39% <ø> (ø)
5.10-m8i.metal-96xl 83.39% <ø> (+<0.01%) ⬆️
6.1-m5n.metal 83.44% <ø> (ø)
6.1-m6a.metal 82.79% <ø> (ø)
6.1-m6g.metal 80.08% <ø> (-0.01%) ⬇️
6.1-m6i.metal 83.44% <ø> (ø)
6.1-m7a.metal-48xl 82.78% <ø> (ø)
6.1-m7g.metal 80.08% <ø> (ø)
6.1-m7i.metal-24xl 83.44% <ø> (ø)
6.1-m7i.metal-48xl 83.45% <ø> (+<0.01%) ⬆️
6.1-m8g.metal-24xl 80.07% <ø> (-0.01%) ⬇️
6.1-m8g.metal-48xl 80.08% <ø> (ø)
6.1-m8i.metal-48xl 83.45% <ø> (-0.01%) ⬇️
6.1-m8i.metal-96xl 83.45% <ø> (ø)
6.18-m5n.metal 83.43% <ø> (ø)
6.18-m6a.metal 82.78% <ø> (-0.01%) ⬇️
6.18-m6g.metal 80.08% <ø> (-0.01%) ⬇️
6.18-m6i.metal 83.44% <ø> (+<0.01%) ⬆️
6.18-m7a.metal-48xl 82.78% <ø> (ø)
6.18-m7g.metal 80.08% <ø> (-0.01%) ⬇️
6.18-m7i.metal-24xl 83.45% <ø> (-0.01%) ⬇️
6.18-m7i.metal-48xl 83.45% <ø> (ø)
6.18-m8g.metal-24xl 80.08% <ø> (ø)
6.18-m8g.metal-48xl 80.08% <ø> (ø)
6.18-m8i.metal-48xl 83.45% <ø> (ø)
6.18-m8i.metal-96xl 83.46% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ShadowCurse ShadowCurse force-pushed the switch_off_cargo_audit branch 2 times, most recently from 4f3ab6f to 04aa60a Compare July 1, 2026 12:44
@ShadowCurse ShadowCurse marked this pull request as ready for review July 1, 2026 13:17
@ShadowCurse ShadowCurse self-assigned this Jul 1, 2026
@ShadowCurse ShadowCurse added the Status: Awaiting review Indicates that a pull request is ready to be reviewed label Jul 1, 2026
`cargo-audit` goes through all crates in the Cargo.lock which includes
crate which are pulled as transitive dependencies of some crates but not
used in any of our binaries. Switching to `crago-deny` fixes this since
it only checks crates which are a part of our dependencies tree for our
binaries.

Similar to `cargo-audit`, we need to install `cargo-deny` each time to
avoid a possibility of it breaking if advisory database suddenly updates
the format it uses. But for the sake of speed, we now install with
`--debug` flag to install debug binary (install in this case means
"compile"). This saves time and does not affect the result.

`cargo-audit` is also used in the license check test, but that test is
fine using the potentially older version of the tool from the devctr.

Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
All ignores are not applicable anymore:
- `gdbstub` - resolved upstream
  daniel5151/gdbstub#168
- `rand` - moved to deny.toml
- `anyhow` - is not directly used by our crates and `cargo-deny`
  correctly ignores it

Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
The `gdbstub` relies on the `managed` crate which is OBSD.
This license is compatible with MIT, so allow list it.

Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
@ShadowCurse ShadowCurse force-pushed the switch_off_cargo_audit branch from be7d742 to acc3b0f Compare July 1, 2026 13:25
)
return findings

utils.run_cmd("cargo install --locked cargo-deny --debug")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this not installed on the dev container?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we had an issue in the past when the rustsec updated the format they use for reports, but the older version of cargo-audit we had in a container was too old and could not parse the new format. So instead we decided to just install the tool on each run.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would the same concern apply to cargo deny?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PS: I see test_dependency_licenses is already calling cargo deny without re-installing it.

Also, since we use --locked here, I guess it won't even install new versions if available

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The install step will install a newer version over the old one. The test_dependency_licenses should be fine using the version from devctr.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Status: Awaiting review Indicates that a pull request is ready to be reviewed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants